wpForo
cpe:2.3:a:gvectors:wpforo:*:*:*:*:wordpress:*:*, +1 more
- <= 2.4.14
A SQL injection vulnerability has been identified in the wpForo WordPress plugin, specifically in version 2.4.14. The issue arises in the Topics::get_topics() function, where the ORDER BY clause is vulnerable to injection. The root cause is inadequate sanitization of unquoted identifiers: because the sort value is placed into the query as a bare identifier rather than a quoted string, escaping alone does not neutralize it, and attackers can supply CASE WHEN expressions through the wpfob parameter. This enables blind boolean extraction of credentials from the WordPress database.
Exploitation requires no authentication and yields blind boolean-based extraction of data, such as user credentials, from the WordPress database.
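The advisory's point is that an ORDER BY identifier is not a quoted value, so the usual escaping of a sort parameter does nothing. The following is an added illustration, not wpForo's code: the first function shows the vulnerable pattern in generic form, the second replaces it with an allowlist that maps request keys to fixed column names and direction tokens. The table and column names, the request key (`wpfob` is the parameter named in the advisory), and the function names are assumptions for the example.

```php
<?php
// Added example (not wpForo's code). Table/column names are assumed for illustration.

// Vulnerable pattern: the sort key from the request (e.g. the wpfob parameter) is
// interpolated into ORDER BY as a bare identifier. esc_sql() only escapes quote
// characters, and $wpdb->prepare() placeholders only quote *values*, so neither
// stops an attacker-controlled expression from being executed as part of the
// ORDER BY clause.
function get_topics_vulnerable( wpdb $wpdb, string $orderby ): array {
    $orderby = esc_sql( $orderby ); // no quotes to break out of, so this does not help
    $sql = "SELECT topicid, title FROM {$wpdb->prefix}example_topics ORDER BY {$orderby}";
    return (array) $wpdb->get_results( $sql, ARRAY_A );
}

// Hardened pattern: the request value is never placed in the query. It is used only
// as a lookup key into a fixed map of column names; unknown keys fall back to a
// default, and the direction is restricted to the two literal tokens ASC/DESC.
const TOPIC_SORT_COLUMNS = [
    'created'  => 'created',   // assumed column names
    'modified' => 'modified',
    'title'    => 'title',
    'views'    => 'views',
];

function build_topics_order_by( string $orderby, string $dir ): string {
    $column = TOPIC_SORT_COLUMNS[ $orderby ] ?? TOPIC_SORT_COLUMNS['created'];
    $dir    = ( strtoupper( $dir ) === 'ASC' ) ? 'ASC' : 'DESC';
    return "`{$column}` {$dir}";
}

function get_topics_hardened( wpdb $wpdb, string $orderby, string $dir, int $limit ): array {
    $order_by = build_topics_order_by( $orderby, $dir ); // built from constants only
    $sql = $wpdb->prepare(
        "SELECT topicid, title FROM {$wpdb->prefix}example_topics ORDER BY {$order_by} LIMIT %d",
        max( 1, $limit )  // numeric value goes through a prepare() placeholder
    );
    return (array) $wpdb->get_results( $sql, ARRAY_A );
}

// Usage (assumed request handling):
// $topics = get_topics_hardened( $wpdb, (string) ( $_GET['wpfob'] ?? '' ),
//                                (string) ( $_GET['wpfo'] ?? 'DESC' ), 20 );
```

The allowlist is the important part: any request value that is not an exact key in `TOPIC_SORT_COLUMNS` is discarded, so a CASE WHEN expression can never reach the query text. On WordPress 6.2 or later, `$wpdb->prepare()` also accepts an `%i` placeholder that backtick-quotes an identifier, but it still must be combined with an allowlist, since quoting a name does not prevent sorting by a column the caller should not expose.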